Neil Naveen

Results 79 comments of Neil Naveen

> @ccordoba12, I don't know anything about the security issues referenced. I do not understand what the proposed change accomplishes. I also wonder, assuming that the proposed change is appropriate:...

> Thank you for your pull request @neilnaveen! Welcome to the community. I am wondering, for workflows that are reused from `mdn/workflows`, should we not set these from that repo...

> @neilnaveen I'm not an expert on this, despite trying to read the documentation links you've provided.
>
> could you explain
>
> * why you've changed only these...

> Not sure if this is needed, since we do need to approve any workflow which runs from new contributors. It may be a contributor who has done more than...

Possible Solution in Place of Evidence - Instead of using evidence to prove that a push event happened, we can use gittuf to tell us if the pusher is the...

This solution is not technically replacing evidence; it is simply integrating it into gittuf's existing workflows, where the evidence is the signature of the author of the attestation.

Currently the last test in verifyEntry is failing. This is because for some reason, even though the attestation is signed with an unauthorized key, it is not erroring out in...

I have fixed the faulty test, but for this to work, fetching Non-gittuf RSL entries now also fetches attestation entries as well, but does not include any others.

I would like to work on this